Why
The suite is unit tests only (450 across 25 files) — every cycle test uses an in-memory mock AppClient, and the two fetch-touching tests inject a fake via fetchImpl. Nothing exercises warden against real GitHub. CI runs tsc, npm test, the action-bundle freshness check, and a self-dogfood chant audit . — none hit a live org.
This gap matters most for the App-only, platform-walled cycles whose request shapes can't be validated by mocks:
and more generally for confirming every cycle's fetch→diff→apply contract against the actual API.
Proposal
A gated e2e harness, excluded from the default CI test job:
npm run test:e2e (separate vitest project/config; not part of npm test).- Authenticates as a real GitHub App installed on a throwaway test org (creds from CI secrets / local env).
- Phase 1 — dry-run only (safe): for each cycle, run
fetchLive + diff against the test org and assert the request paths/shapes and that no mutating calls are made. Catches API-contract drift without changing anything.
- Phase 2 — teardown-guarded apply (opt-in): a small set of apply round-trips against disposable resources (e.g. create a repo via
repo-baseline, set a label/topic, then revert), each guarded by a cleanup step. Run only with an explicit WARDEN_E2E_APPLY=1.
- A separate scheduled CI workflow (e.g. nightly) with the test-org App credentials, so it never blocks PRs.
Open questions
- Dry-run-only to start, or include the teardown-guarded apply path from day one?
- Which org / App installation to use, and where the credentials live.
Context: flagged during the post-publish cycle build-out (PRs #22–#35); see the caveat note on epic #2.
Why
The suite is unit tests only (450 across 25 files) — every cycle test uses an in-memory mock
AppClient, and the twofetch-touching tests inject a fake viafetchImpl. Nothing exercises warden against real GitHub. CI runstsc,npm test, the action-bundle freshness check, and a self-dogfoodchant audit .— none hit a live org.This gap matters most for the App-only, platform-walled cycles whose request shapes can't be validated by mocks:
token-governance(cycle: token governance (scheduled sweep) #15) — list/revoke fine-grained PAT grantstoken-approval(cycle: token approval #16) — list/approve/deny PAT requestsand more generally for confirming every cycle's fetch→diff→apply contract against the actual API.
Proposal
A gated e2e harness, excluded from the default CI
testjob:npm run test:e2e(separate vitest project/config; not part ofnpm test).fetchLive+diffagainst the test org and assert the request paths/shapes and that no mutating calls are made. Catches API-contract drift without changing anything.repo-baseline, set a label/topic, then revert), each guarded by a cleanup step. Run only with an explicitWARDEN_E2E_APPLY=1.Open questions
Context: flagged during the post-publish cycle build-out (PRs #22–#35); see the caveat note on epic #2.